A top level Google security researcher has found a series of critical vulnerabilities in most of Symantec’s enterprise and consumer products, that were, apparently, ridiculously easy to exploit by hackers.
Symantec, which patched the eight security flaws discovered said: “Fixes are currently in place, and updates are now available for customers to install.”
The vulnerabilities were, fortunately for millions of computer users worldwide, fixed before the team from Google’s Project Zero made the details public.
The Project Zero research group was specifically set up by Google to try and help make the internet safer, by discovering security holes in software before hackers can exploit them.
Researchers working at Google’s Project Zero told Symantec of the “multiple critical vulnerabilities”, saying that the flaws were “as bad as it gets”.
The flaws were found, surprise-surprise, by Tavis Ormandy, an outspoken but effective researcher with the Project Zero team who has found similar vulnerabilities in antivirus products from other vendors, and been vocal in his disparaging remarks.
Ormandy found vulnerabilities in the Symantec code used to handle ZIP, RAR, LZH, LHA, CAB, MIME, TNEF and PPT files, which can, in the right circumstances, be used by hackers for remote code execution and also be used to create computer worms.
Ormandy, as is standard practice, only published the blog post after Symantec fixed the problems, acknowledging the fact that Symantec when informed, had moved “quickly.”
That said, Symantec came in for some extremely harsh criticism from Ormandy which for its lack of oversight for its own vulnerability management.
“Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries … but hadn’t updated them in at least 7 years.”
It’s easy to understand why Ormandy gets so irate at the so called ‘security experts.’ Ordinary computer users rely on anti-malware products from companies like Symantec to keep their data secure, and when they can’t even protect their own files, what hope does anyone else have?